Installing Kerberos on Windows, for use with PuTTY and WinSCP

Intended for:

Kerberos users and system administrators.

Scenario/Use case:

This article provides instructions on how to install and configure the Kerberos software on your Windows system. This software, when used with the PuTTY telnet/ssh client and the WinSCP SCP/FTP client, allows you to authenticate to Kerberos, open Kerberized connections to remote machines, and encrypt your data transmissions.

Note that while the configuration described in this article complies with the Fermilab Policy on Computing and some divisions are recommending and supporting it, it is not formally supported by the Computing Sector.

Instructions:

Getting Ready - Choices

Kerberos for Windows (KfW) is available from MIT. This version includes a ticket manager application similar to the NetID Manager application. The version from Secure Endpoints is no longer available. The page at MIT contains more detailed documentation.

Obtain a Kerberos Principal

First, verify that you have administrator privileges on the PC. Next, you need to obtain a Kerberos principal and initial password for the FNAL.GOV realm. See section Your Kerberos Principal. Use the ServiceNow form Computing Username and Primary Accounts.

Installing MIT Kerberos for Windows

MIT KfW V4.1 is the version recommended (it is nearly the same as that installed on all the FERMI Domain Windows machines and includes the Network Identity Manager).

1. Log into an account with administrator privileges.
2. Download the Kerberos client software from MIT. First browse to: http://web.mit.edu/kerberos/.

   This brings you to the MIT Kerberos page. Under Download, click on the link to Sources and binaries from MIT. Scroll down to the MIT Kerberos for Windows section and click. Next, click on the file listed next to Installer. Save the file to disk.

3. Once this file is copied on to your machine, execute it to install the Kerberos program. You will be asked a series of questions, but you can safely use the defaults, and just click through the screens. Checking the time synchronization when prompted is a good idea. The software gets installed under C:\Program Files\Kerberos by default.
4. After installing the files, it will ask if it's OK to restart your computer. Say yes.
    

Configuring MIT Kerberos (only)

After you install Kerberos for Windows from MIT, you need to provide the Fermilab Kerberos configuration file.

1. Log back on to the same account.
2. Create the configuration file krb5.ini as listed in section krb5.conf for FNAL.GOV or FERMI.WIN.FNAL.GOV, and put it in your following location, C:\ProgramData\MIT\Kerberos5\krb5.ini. The krb5.ini file is comparable to the krb5.conf on UNIX.

Installing Kerberos Client Progams

PuTTY is an open-source terminal emulator program which supports Kerberized ssh (as well as telnet). The PuTTY package also includes the command line programs plink, pscp, and psftp. These are similar to the Linux ssh (when used to execute a command a remote system),  scp , and  sftp commands. The latest PuTTY news can be found on the PuTTY Home Page. Get PuTTY by downloading the Windows installer for everhting from the Fermilab Kerberos for Windows and running the installer. If you wish, choose a Custom Install and select the check box to Create a desktop icon for PuTTY. If you plan on using the command line utilities plink and pscp, add the installed location of PuTTY (default is C:\Program Files (x86)\PuTTY on 64-bit systems) to the system-wide PATH environment variable using the System control panel Advanced System Settings, click on the Environment Variables button. Additionally, Fermilab community-supported instructions for configuring and using PuTTY with Windows are available here.

WinSCP is a free GUI file transfer client which supports the SCP and SFTP protocols. News on the latest WinSCP can be found on the WinSCP Home page. Download the WinSCP installer from the Fermilab Kerberos for Windows and execute it (you can also download PuTTY from this same page). Note, the installer also wants to install Google Chrome, be sure to uncheck the box if you do not want Chrome installed.

Documentation for PuTTY is available from the PuTTY Docs page in a variety of downloadable formats as well as an online HTML version. Online documentation for WinSCP can be found here.

Getting a Ticket

MIT KfW v4.1 includes a Ticket Manager Application similar to NetID Manager. The Ticket Manager can manage multiple identities including renewing credentials as needed. Ticket Manager lives in the taskbar notification area (lower right side of screen), right-click on its icon (its the one with the silhouette of a K) and select MIT Kerberos Window. Note, the following details for configuring and using MIT Kerberos for Windows v4 and may differ from other versions and NetIdMgr.

In the Ticket Manager window, select Get Ticket. Enter the principal name (user@FERMI.WIN.FNAL.GOV or user@FNAL.GOV) and the password for that principal. Ensure that the options for "Remember this Principal," "Forwardable and Proxiable," and "Renewable" are selected. Click OK.

Once identities are configured in Ticket Manager, credentials can be controlled. If you are going to use PuTTY, you will want to select one identity as default by selecting the identity selecting Default on the main screen.

Alternatively, you can invoke the command prompt and type kinit to request a ticket. You will be required to enter your Kerberos password. To verify the ticket and its flags, type klist -f at the command prompt.

Configuring the PuTTY Application

Create a new SSH Profile for Kerberized Host

You should create one profile for each Kerberized host you wish to access.

1. Use Ticket Manager or kinit to get Kerberos Credentials if you are going to Open a connection.
2. Start the PuTTY application. The PuTTY Configuration window will appear.
3. Make sure SSH is selected under Connection type.
4. In the Connection > Data section, type your Kerberos username in the Auto-login username box.
5. In the Connection > SSH > Auth > GSSAPI section, check the boxes for the Attempt GSSAPI authentication and Allow GSSAPI credential delegation settings. The credential delegation setting is important as it allows forwarding of your Kerberos credentials to the remote system.
6. If you have an X server installed on your PC, go to the Connection > SSH > X11 section and check Enable X11 forwarding.
7. In the Session section, type Default Settings in the Saved Sessions box. Click Save. You have now saved your default settings.
8. In the Session section, type your destination hostname in the Host Name box. You can also type username@hostname if you are logging in as a different user.
9. Click Open to log in. If you don't already have a valid Kerberos ticket, a dialog will pop up asking for your Kerberos username and password.
10. You can also enter a name in the Saved Sessions box and click Save for future use. To use a saved session, click on the session name in the Saved Sessions list to select and then click Load and then Open.
    
    

Create a new Telnet or non-Kerberized SSH Profile for non-Kerberized Host

You should create one profile for each host you wish to access.

1. Start the PuTTY application. The PuTTY Configuration window will appear.
2. Select either Telnet or SSH under Connection type.
3. In the Connection > Data section, type your username in the Auto-login username box.
4. If using SSH, in the Connection > SSH > Auth > GSSAPI section, un-check the boxes for Attempt GSSAPI authentication and Allow GSSAPI credential delegation.
5. If using SSH and you have an X server installed on your PC, go to the Connection > SSH > X11 section and check Enable X11 forwarding.
6. In the Session section, type your destination hostname in the Host Nam" box. You can also type username@hostname if you are logging in as a different user.
7. Click Open to log in or you can enter a name in the Saved Sessions box and click Save for future use. To use a saved session, click on the session name in the Saved Sessions list to select and then click Load and then Open.
8. If you click Open, you will need to log in normally
   
   

Connect to Kerberized Host using SSH Profile

1. Use Ticket Manager or kinit to get Kerberos Credentials.
2. Start the PuTTY application. The PuTTY Configuration window will appear.
3. In the Session section, type your destination hostname in the Host Name box. You can also type username@hostname if you are logging in as a different user.
4. Click Open to log in. If you don't already have a valid Kerberos ticket, a dialog will pop up asking for your Kerberos username and password.
5. You can also enter a name in the Saved Sessions box and click Save for future use. To use a saved session, click on the session name in the Saved Sessions list to select and then click Load and then Open. To use a saved session, click on the session name in the Saved Sessions list to select and then click Load and then Open.

Configuring the WinSCP File Transfer Application

WinSCP is a GUI file transfer client which supports the SCP and SFTP protocols.

1. Start WinSCP. The WinSCP Login window will appear.
2. Select the New Site item on the left.
3. Click Advanced to bring up the Advanced Site Settings dialog.
4. Click SSH > Authentication in the pane on the left.
5. Check the Attempt GSSAPI authentication and Allow GSSAPI credential delegation boxes.
6. Un-check the Attempt authentication using Pageant and Attempt `keyboard-interactive' authentication (SSH-2) boxes.
7. Click OK to dismiss the Advanced dialog.
8. Type your Kerberos username in the User name: box.
9. Click the arrow in the Save button and select Set Defaults. Click OK.
10. Type your destination host in the Host name: box.
11. Click Save to save as a named site.

krb5.conf for FNAL.GOV or FERMI.WIN.FNAL.GOV

Kerberos for Windows looks for the Kerberos configuration file at C:\ProgramData\MIT\Kerberos5\krb5.ini. The krb5.ini file is comparable to the krb5.conf on UNIX.

Other possible locations for the configuration file:

• C:\ProgramData\Kerberos\krb5.conf (currently used by KfW in the FERMI Domain)
  
• C:\ProgramData\MIT\Kerberos5\krb5.ini
  
• C:\ProgramData\MIT\Kerberos\krb5.conf
• C:\Windows\krb5.ini (used by older versions of KfW)

The standard Fermilab Kerberos configuration file krb5.conf can be used to make a krb5.conf file for Windows. See The Kerberos Configuration File: krb5.conf for instructions on obtaining a copy of this file and a description of its contents. You can download a copy of krb5.conf configured for the FERMI Windows domain from http://metrics.fnal.gov/authentication/krb5conf/.

If you wish to use the FNAL.GOV realm as the default, just copy the krb5.conf file to C:\ProgramData\Kerberos\krb5.ini.  If your Windows is a member of the FERMI Domain or you wish to use the FERMI Domain as the default realm, then you need to modify one line in krb5.ini. The line in krb5.ini which reads:

default_realm = FNAL.GOV

should be changed to read as:

default_realm = FERMI.WIN.FNAL.GOV

See Also:

• Strong Authentication at Fermilab